keycloak.Realm
Allows for creating and managing Realms within Keycloak.
A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.
Default Client Scopes
default_default_client_scopes - (Optional) A list of default default client scopes to be used for client definitions. Defaults to [] or Keycloak's built-in default default client scopes.
default_optional_client_scopes - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to [] or Keycloak's built-in default optional client scopes.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
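return await Deployment.RunAsync(() =>
{
    // The SMTP password is read from stack configuration as a secret instead of
    // being written into the program: it is then encrypted in the state file and
    // redacted from CLI output. Set it with:
    //   pulumi config set --secret smtpPassword <value>
    var config = new Config();
    var smtpPassword = config.RequireSecret("smtpPassword");

    var realm = new Keycloak.Realm("realm", new()
    {
        AccessCodeLifespan = "1h",
        Attributes =
        {
            { "mycustomAttribute", "myCustomValue" },
        },
        DisplayName = "my realm",
        // Keycloak renders this value as HTML: keep it a trusted literal, never user input.
        DisplayNameHtml = "<b>my realm</b>",
        Enabled = true,
        Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
        {
            DefaultLocale = "en",
            SupportedLocales = new[]
            {
                "en",
                "de",
                "es",
            },
        },
        LoginTheme = "base",
        // Keycloak password policy: at least one upper-case letter, length >= 8,
        // forced change after 365 days, and the password must differ from the username.
        PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
        RealmName = "my-realm",
        SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
        {
            // Temporary lockout (PermanentLockout = false): after MaxLoginFailures the
            // wait grows by WaitIncrementSeconds up to MaxFailureWaitSeconds, and the
            // failure counter is cleared after FailureResetTimeSeconds.
            BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
            {
                FailureResetTimeSeconds = 43200,
                MaxFailureWaitSeconds = 900,
                MaxLoginFailures = 30,
                MinimumQuickLoginWaitSeconds = 60,
                PermanentLockout = false,
                QuickLoginCheckMilliSeconds = 1000,
                WaitIncrementSeconds = 60,
            },
            // Security headers Keycloak sends on its own pages.
            Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
            {
                ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
                ContentSecurityPolicyReportOnly = "",
                StrictTransportSecurity = "max-age=31536000; includeSubDomains",
                XContentTypeOptions = "nosniff",
                XFrameOptions = "DENY",
                XRobotsTag = "none",
                // Legacy header; modern browsers rely on the CSP above instead.
                XXssProtection = "1; mode=block",
            },
        },
        SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
        {
            Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
            {
                Password = smtpPassword,
                Username = "tom",
            },
            From = "example@example.com",
            Host = "smtp.example.com",
        },
        // "external" only requires TLS for requests from non-private addresses;
        // use "all" to require it everywhere.
        SslRequired = "external",
        WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
        {
            RelyingPartyEntityName = "Example",
            // Must match the origin users authenticate on, or registered keys won't work.
            RelyingPartyId = "keycloak.example.com",
            SignatureAlgorithms = new[]
            {
                "ES256",
                "RS256",
            },
        },
    });
});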
package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
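// main creates a single Keycloak realm with internationalization, security
// defenses, SMTP and WebAuthn settings. The SMTP password is read from stack
// configuration as a secret rather than embedded in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// A secret config value is encrypted in state and redacted from CLI
		// output. Set it with:
		//   pulumi config set --secret smtpPassword <value>
		cfg := config.New(ctx, "")
		smtpPassword := cfg.RequireSecret("smtpPassword")

		_, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			AccessCodeLifespan: pulumi.String("1h"),
			Attributes: pulumi.AnyMap{
				"mycustomAttribute": pulumi.Any("myCustomValue"),
			},
			DisplayName: pulumi.String("my realm"),
			// Keycloak renders this value as HTML: keep it a trusted literal,
			// never user input.
			DisplayNameHtml: pulumi.String("<b>my realm</b>"),
			Enabled:         pulumi.Bool(true),
			Internationalization: &keycloak.RealmInternationalizationArgs{
				DefaultLocale: pulumi.String("en"),
				SupportedLocales: pulumi.StringArray{
					pulumi.String("en"),
					pulumi.String("de"),
					pulumi.String("es"),
				},
			},
			LoginTheme: pulumi.String("base"),
			// Keycloak password policy: at least one upper-case letter, length >= 8,
			// forced change after 365 days, and the password must differ from the
			// username.
			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
			Realm:          pulumi.String("my-realm"),
			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
				// Temporary lockout (PermanentLockout false): after MaxLoginFailures
				// the wait grows by WaitIncrementSeconds up to MaxFailureWaitSeconds,
				// and the failure counter is cleared after FailureResetTimeSeconds.
				BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
					FailureResetTimeSeconds:      pulumi.Int(43200),
					MaxFailureWaitSeconds:        pulumi.Int(900),
					MaxLoginFailures:             pulumi.Int(30),
					MinimumQuickLoginWaitSeconds: pulumi.Int(60),
					PermanentLockout:             pulumi.Bool(false),
					QuickLoginCheckMilliSeconds:  pulumi.Int(1000),
					WaitIncrementSeconds:         pulumi.Int(60),
				},
				// Security headers Keycloak sends on its own pages.
				Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
					ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
					ContentSecurityPolicyReportOnly: pulumi.String(""),
					StrictTransportSecurity:         pulumi.String("max-age=31536000; includeSubDomains"),
					XContentTypeOptions:             pulumi.String("nosniff"),
					XFrameOptions:                   pulumi.String("DENY"),
					XRobotsTag:                      pulumi.String("none"),
					// Legacy header; modern browsers rely on the CSP above instead.
					XXssProtection: pulumi.String("1; mode=block"),
				},
			},
			SmtpServer: &keycloak.RealmSmtpServerArgs{
				Auth: &keycloak.RealmSmtpServerAuthArgs{
					Password: smtpPassword,
					Username: pulumi.String("tom"),
				},
				From: pulumi.String("example@example.com"),
				Host: pulumi.String("smtp.example.com"),
			},
			// "external" only requires TLS for requests from non-private
			// addresses; use "all" to require it everywhere.
			SslRequired: pulumi.String("external"),
			WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
				RelyingPartyEntityName: pulumi.String("Example"),
				// Must match the origin users authenticate on, or registered keys
				// won't work.
				RelyingPartyId: pulumi.String("keycloak.example.com"),
				SignatureAlgorithms: pulumi.StringArray{
					pulumi.String("ES256"),
					pulumi.String("RS256"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}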
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.inputs.RealmInternationalizationArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;
import com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
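/**
 * Creates a single Keycloak realm with internationalization, security
 * defenses, SMTP and WebAuthn settings.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the realm. The SMTP password is read from stack configuration as a
     * secret rather than embedded in the program, so it is encrypted in state and
     * redacted from CLI output. Set it with:
     *   pulumi config set --secret smtpPassword &lt;value&gt;
     */
    public static void stack(Context ctx) {
        var smtpPassword = ctx.config().requireSecret("smtpPassword");

        var realm = new Realm("realm", RealmArgs.builder()
            .accessCodeLifespan("1h")
            .attributes(Map.of("mycustomAttribute", "myCustomValue"))
            .displayName("my realm")
            // Keycloak renders this value as HTML: keep it a trusted literal, never user input.
            .displayNameHtml("<b>my realm</b>")
            .enabled(true)
            .internationalization(RealmInternationalizationArgs.builder()
                .defaultLocale("en")
                .supportedLocales(
                    "en",
                    "de",
                    "es")
                .build())
            .loginTheme("base")
            // Keycloak password policy: at least one upper-case letter, length >= 8,
            // forced change after 365 days, and the password must differ from the username.
            .passwordPolicy("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername")
            .realm("my-realm")
            .securityDefenses(RealmSecurityDefensesArgs.builder()
                // Temporary lockout (permanentLockout false): after maxLoginFailures the
                // wait grows by waitIncrementSeconds up to maxFailureWaitSeconds, and the
                // failure counter is cleared after failureResetTimeSeconds.
                .bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()
                    .failureResetTimeSeconds(43200)
                    .maxFailureWaitSeconds(900)
                    .maxLoginFailures(30)
                    .minimumQuickLoginWaitSeconds(60)
                    .permanentLockout(false)
                    .quickLoginCheckMilliSeconds(1000)
                    .waitIncrementSeconds(60)
                    .build())
                // Security headers Keycloak sends on its own pages.
                .headers(RealmSecurityDefensesHeadersArgs.builder()
                    .contentSecurityPolicy("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
                    .contentSecurityPolicyReportOnly("")
                    .strictTransportSecurity("max-age=31536000; includeSubDomains")
                    .xContentTypeOptions("nosniff")
                    .xFrameOptions("DENY")
                    .xRobotsTag("none")
                    // Legacy header; modern browsers rely on the CSP above instead.
                    .xXssProtection("1; mode=block")
                    .build())
                .build())
            .smtpServer(RealmSmtpServerArgs.builder()
                .auth(RealmSmtpServerAuthArgs.builder()
                    .password(smtpPassword)
                    .username("tom")
                    .build())
                .from("example@example.com")
                .host("smtp.example.com")
                .build())
            // "external" only requires TLS for requests from non-private addresses;
            // use "all" to require it everywhere.
            .sslRequired("external")
            .webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()
                .relyingPartyEntityName("Example")
                // Must match the origin users authenticate on, or registered keys won't work.
                .relyingPartyId("keycloak.example.com")
                .signatureAlgorithms(
                    "ES256",
                    "RS256")
                .build())
            .build());
    }
}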
import pulumi
import pulumi_keycloak as keycloak
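# The SMTP password is read from stack configuration as a secret instead of being
# written into the program: it is then encrypted in state and redacted from CLI
# output. Set it with:
#   pulumi config set --secret smtpPassword <value>
config = pulumi.Config()
smtp_password = config.require_secret("smtpPassword")

realm = keycloak.Realm("realm",
    access_code_lifespan="1h",
    attributes={
        "mycustomAttribute": "myCustomValue",
    },
    display_name="my realm",
    # Keycloak renders this value as HTML: keep it a trusted literal, never user input.
    display_name_html="<b>my realm</b>",
    enabled=True,
    internationalization=keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=[
            "en",
            "de",
            "es",
        ],
    ),
    login_theme="base",
    # Keycloak password policy: at least one upper-case letter, length >= 8,
    # forced change after 365 days, and the password must differ from the username.
    password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm="my-realm",
    security_defenses=keycloak.RealmSecurityDefensesArgs(
        # Temporary lockout (permanent_lockout False): after max_login_failures the
        # wait grows by wait_increment_seconds up to max_failure_wait_seconds, and
        # the failure counter is cleared after failure_reset_time_seconds.
        brute_force_detection=keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
            failure_reset_time_seconds=43200,
            max_failure_wait_seconds=900,
            max_login_failures=30,
            minimum_quick_login_wait_seconds=60,
            permanent_lockout=False,
            quick_login_check_milli_seconds=1000,
            wait_increment_seconds=60,
        ),
        # Security headers Keycloak sends on its own pages.
        headers=keycloak.RealmSecurityDefensesHeadersArgs(
            content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            content_security_policy_report_only="",
            strict_transport_security="max-age=31536000; includeSubDomains",
            x_content_type_options="nosniff",
            x_frame_options="DENY",
            x_robots_tag="none",
            # Legacy header; modern browsers rely on the CSP above instead.
            x_xss_protection="1; mode=block",
        ),
    ),
    smtp_server=keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password=smtp_password,
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
    ),
    # "external" only requires TLS for requests from non-private addresses;
    # use "all" to require it everywhere.
    ssl_required="external",
    web_authn_policy=keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        # Must match the origin users authenticate on, or registered keys won't work.
        relying_party_id="keycloak.example.com",
        signature_algorithms=[
            "ES256",
            "RS256",
        ],
    ))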
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
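// The SMTP password is read from stack configuration as a secret instead of being
// written into the program: it is then encrypted in state and redacted from CLI
// output. Set it with:
//   pulumi config set --secret smtpPassword <value>
const config = new pulumi.Config();
const smtpPassword = config.requireSecret("smtpPassword");

const realm = new keycloak.Realm("realm", {
    accessCodeLifespan: "1h",
    attributes: {
        mycustomAttribute: "myCustomValue",
    },
    displayName: "my realm",
    // Keycloak renders this value as HTML: keep it a trusted literal, never user input.
    displayNameHtml: "<b>my realm</b>",
    enabled: true,
    internationalization: {
        defaultLocale: "en",
        supportedLocales: [
            "en",
            "de",
            "es",
        ],
    },
    loginTheme: "base",
    // Keycloak password policy: at least one upper-case letter, length >= 8,
    // forced change after 365 days, and the password must differ from the username.
    passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm: "my-realm",
    securityDefenses: {
        // Temporary lockout (permanentLockout false): after maxLoginFailures the
        // wait grows by waitIncrementSeconds up to maxFailureWaitSeconds, and the
        // failure counter is cleared after failureResetTimeSeconds.
        bruteForceDetection: {
            failureResetTimeSeconds: 43200,
            maxFailureWaitSeconds: 900,
            maxLoginFailures: 30,
            minimumQuickLoginWaitSeconds: 60,
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 1000,
            waitIncrementSeconds: 60,
        },
        // Security headers Keycloak sends on its own pages.
        headers: {
            contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            contentSecurityPolicyReportOnly: "",
            strictTransportSecurity: "max-age=31536000; includeSubDomains",
            xContentTypeOptions: "nosniff",
            xFrameOptions: "DENY",
            xRobotsTag: "none",
            // Legacy header; modern browsers rely on the CSP above instead.
            xXssProtection: "1; mode=block",
        },
    },
    smtpServer: {
        auth: {
            password: smtpPassword,
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
    },
    // "external" only requires TLS for requests from non-private addresses;
    // use "all" to require it everywhere.
    sslRequired: "external",
    webAuthnPolicy: {
        relyingPartyEntityName: "Example",
        // Must match the origin users authenticate on, or registered keys won't work.
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: [
            "ES256",
            "RS256",
        ],
    },
});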
# A single Keycloak realm with internationalization, security defenses, SMTP and
# WebAuthn settings.
resources:
  realm:
    type: keycloak:Realm
    properties:
      accessCodeLifespan: 1h
      attributes:
        mycustomAttribute: myCustomValue
      displayName: my realm
      # Keycloak renders this value as HTML: keep it a trusted literal, never user input.
      displayNameHtml: <b>my realm</b>
      enabled: true
      internationalization:
        defaultLocale: en
        supportedLocales:
          - en
          - de
          - es
      loginTheme: base
      # Keycloak password policy: at least one upper-case letter, length >= 8,
      # forced change after 365 days, and the password must differ from the username.
      passwordPolicy: upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername
      realm: my-realm
      securityDefenses:
        # Temporary lockout (permanentLockout false): after maxLoginFailures the
        # wait grows by waitIncrementSeconds up to maxFailureWaitSeconds, and the
        # failure counter is cleared after failureResetTimeSeconds.
        bruteForceDetection:
          failureResetTimeSeconds: 43200
          maxFailureWaitSeconds: 900
          maxLoginFailures: 30
          minimumQuickLoginWaitSeconds: 60
          permanentLockout: false
          quickLoginCheckMilliSeconds: 1000
          waitIncrementSeconds: 60
        # Security headers Keycloak sends on its own pages.
        headers:
          contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
          # NOTE(review): an empty YAML value is null, while the other language
          # examples pass an empty string here — confirm the provider treats both alike.
          contentSecurityPolicyReportOnly:
          strictTransportSecurity: max-age=31536000; includeSubDomains
          xContentTypeOptions: nosniff
          xFrameOptions: DENY
          xRobotsTag: none
          # Legacy header; modern browsers rely on the CSP above instead.
          xXssProtection: 1; mode=block
      smtpServer:
        auth:
          # NOTE(review): a literal password here ends up in source control and in
          # plain text in state; prefer a secret stack config value
          # (pulumi config set --secret <key> <value>) referenced from the program.
          password: password
          username: tom
        from: example@example.com
        host: smtp.example.com
      # "external" only requires TLS for requests from non-private addresses;
      # use "all" to require it everywhere.
      sslRequired: external
      webAuthnPolicy:
        relyingPartyEntityName: Example
        # Must match the origin users authenticate on, or registered keys won't work.
        relyingPartyId: keycloak.example.com
        signatureAlgorithms:
          - ES256
          - RS256
Create Realm Resource
new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);
@overload
def Realm(resource_name: str,
opts: Optional[ResourceOptions] = None,
access_code_lifespan: Optional[str] = None,
access_code_lifespan_login: Optional[str] = None,
access_code_lifespan_user_action: Optional[str] = None,
access_token_lifespan: Optional[str] = None,
access_token_lifespan_for_implicit_flow: Optional[str] = None,
account_theme: Optional[str] = None,
action_token_generated_by_admin_lifespan: Optional[str] = None,
action_token_generated_by_user_lifespan: Optional[str] = None,
admin_theme: Optional[str] = None,
attributes: Optional[Mapping[str, Any]] = None,
browser_flow: Optional[str] = None,
client_authentication_flow: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
default_default_client_scopes: Optional[Sequence[str]] = None,
default_optional_client_scopes: Optional[Sequence[str]] = None,
default_signature_algorithm: Optional[str] = None,
direct_grant_flow: Optional[str] = None,
display_name: Optional[str] = None,
display_name_html: Optional[str] = None,
docker_authentication_flow: Optional[str] = None,
duplicate_emails_allowed: Optional[bool] = None,
edit_username_allowed: Optional[bool] = None,
email_theme: Optional[str] = None,
enabled: Optional[bool] = None,
internal_id: Optional[str] = None,
internationalization: Optional[RealmInternationalizationArgs] = None,
login_theme: Optional[str] = None,
login_with_email_allowed: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[int] = None,
offline_session_idle_timeout: Optional[str] = None,
offline_session_max_lifespan: Optional[str] = None,
offline_session_max_lifespan_enabled: Optional[bool] = None,
otp_policy: Optional[RealmOtpPolicyArgs] = None,
password_policy: Optional[str] = None,
realm: Optional[str] = None,
refresh_token_max_reuse: Optional[int] = None,
registration_allowed: Optional[bool] = None,
registration_email_as_username: Optional[bool] = None,
registration_flow: Optional[str] = None,
remember_me: Optional[bool] = None,
reset_credentials_flow: Optional[str] = None,
reset_password_allowed: Optional[bool] = None,
revoke_refresh_token: Optional[bool] = None,
security_defenses: Optional[RealmSecurityDefensesArgs] = None,
smtp_server: Optional[RealmSmtpServerArgs] = None,
ssl_required: Optional[str] = None,
sso_session_idle_timeout: Optional[str] = None,
sso_session_idle_timeout_remember_me: Optional[str] = None,
sso_session_max_lifespan: Optional[str] = None,
sso_session_max_lifespan_remember_me: Optional[str] = None,
user_managed_access: Optional[bool] = None,
verify_email: Optional[bool] = None,
web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
@overload
def Realm(resource_name: str,
args: RealmArgs,
opts: Optional[ResourceOptions] = None)
func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)
public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)
type: keycloak:Realm
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Realm Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Realm resource accepts the following input properties:
- RealmName string
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- AccessCodeLifespan string
The maximum amount of time a client has to finish the authorization code flow.
- AccessCodeLifespanLogin string
The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- AccessCodeLifespanUserAction string
The maximum amount of time a user has to complete login related actions, such as updating a password.
- AccessTokenLifespan string
The amount of time an access token can be used before it expires.
- AccessTokenLifespanForImplicitFlow string
The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- AccountTheme string
Used for account management pages.
- ActionTokenGeneratedByAdminLifespan string
The maximum time a user has to use an admin-generated permit before it expires.
- ActionTokenGeneratedByUserLifespan string
The maximum time a user has to use a user-generated permit before it expires.
- AdminTheme string
Used for the admin console.
- Attributes Dictionary<string, object>
A map of custom attributes to add to the realm.
- BrowserFlow string
The desired flow for browser authentication. Defaults to `browser`.
- ClientAuthenticationFlow string
The desired flow for client authentication. Defaults to `clients`.
- ClientSessionIdleTimeout string
The amount of time a session can be idle before it expires. Users can override it for individual clients.
- ClientSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- DefaultDefaultClientScopes List<string>
- DefaultOptionalClientScopes List<string>
- DefaultSignatureAlgorithm string
Default algorithm used to sign tokens for the realm.
- DirectGrantFlow string
The desired flow for direct access authentication. Defaults to `direct grant`.
- DisplayName string
The display name for the realm that is shown when logging in to the admin console.
- DisplayNameHtml string
The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- DockerAuthenticationFlow string
The desired flow for Docker authentication. Defaults to `docker auth`.
- DuplicateEmailsAllowed bool
When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`.
- EditUsernameAllowed bool
When true, the username field is editable.
- EmailTheme string
Used for emails that are sent by Keycloak.
- Enabled bool
When `false`, users and clients will not be able to access this realm. Defaults to `true`.
- InternalId string
When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- Internationalization RealmInternationalization
- LoginTheme string
Used for the login, forgot password, and registration pages.
- LoginWithEmailAllowed bool
When true, users may log in with their email address.
- Oauth2DeviceCodeLifespan string
The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- Oauth2DevicePollingInterval int
The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- OfflineSessionIdleTimeout string
The amount of time an offline session can be idle before it expires.
- OfflineSessionMaxLifespan string
The maximum amount of time before an offline session expires regardless of activity.
- OfflineSessionMaxLifespanEnabled bool
Enable `offline_session_max_lifespan`.
- OtpPolicy RealmOtpPolicy
- PasswordPolicy string
The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- RegistrationAllowed bool
When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- RegistrationEmailAsUsername bool
When true, the user's email will be used as their username during registration.
- RegistrationFlow string
The desired flow for user registration. Defaults to `registration`.
- RememberMe bool
When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- ResetCredentialsFlow string
The desired flow to use when a user attempts to reset their credentials. Defaults to `reset credentials`.
- ResetPasswordAllowed bool
When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in `refresh_token_max_reuse` before it is revoked. If unspecified, refresh tokens can be reused.
- SecurityDefenses RealmSecurityDefenses
- SmtpServer RealmSmtpServer
- SslRequired string
Can be one of the following values: 'none', 'external' or 'all'.
- SsoSessionIdleTimeout string
The amount of time a session can be idle before it expires.
- SsoSessionIdleTimeoutRememberMe string
Similar to `sso_session_idle_timeout`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_idle_timeout`.
- SsoSessionMaxLifespan string
The maximum amount of time before a session expires regardless of activity.
- SsoSessionMaxLifespanRememberMe string
Similar to `sso_session_max_lifespan`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_max_lifespan`.
- UserManagedAccess bool
When `true`, users are allowed to manage their own resources. Defaults to `false`.
- VerifyEmail bool
When true, users are required to verify their email address after registration and after email address changes.
- WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy
Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- WebAuthnPolicy RealmWebAuthnPolicy
Configuration for WebAuthn Policy authentication.
- Realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- Access
Code stringLifespan The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string Used for the admin console.
- Attributes map[string]interface{}
A map of custom attributes to add to the realm.
- Browser
Flow string The desired flow for browser authentication. Defaults to
browser
.- Client
Authentication stringFlow The desired flow for client authentication. Defaults to
clients
.- Client
Session stringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default []stringClient Scopes - Default
Optional []stringClient Scopes - Default
Signature stringAlgorithm Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- Display
Name string The display name for the realm that is shown when logging in to the admin console.
- Display
Name stringHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- Docker
Authentication stringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- Duplicate
Emails boolAllowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
iflogin_with_email_allowed
is set totrue
.- Edit
Username boolAllowed When true, the username field is editable.
- Email
Theme string Used for emails that are sent by Keycloak.
- Enabled bool
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- Internal
Id string When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- Internationalization
Realm
Internationalization Args - Login
Theme string Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- Oauth2Device
Polling intInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- Offline
Session boolMax Lifespan Enabled Enable
offline_session_max_lifespan
.- Otp
Policy RealmOtp Policy Args - Password
Policy string The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- RefreshTokenMaxReuse int
Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- Registration
Allowed bool When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username When true, the user's email will be used as their username during registration.
- Registration
Flow string The desired flow for user registration. Defaults to
registration
.- Remember
Me bool When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- Reset
Password boolAllowed When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool
If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- SecurityDefenses RealmSecurityDefensesArgs
- SmtpServer RealmSmtpServerArgs
- SslRequired string
Can be one of the following values: 'none', 'external' or 'all'.
- Sso
Session stringIdle Timeout The amount of time a session can be idle before it expires.
- Sso
Session stringIdle Timeout Remember Me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- Sso
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- Sso
Session stringMax Lifespan Remember Me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- User
Managed boolAccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- Verify
Email bool When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Args Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- Web
Authn RealmPolicy Web Authn Policy Args Configuration for WebAuthn Policy authentication.
- realm String
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code StringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String Used for account management pages.
- action
Token StringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String Used for the admin console.
- attributes Map<String,Object>
A map of custom attributes to add to the realm.
- browser
Flow String The desired flow for browser authentication. Defaults to
browser
.- client
Authentication StringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session StringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name String The display name for the realm that is shown when logging in to the admin console.
- display
Name StringHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication StringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate
Emails BooleanAllowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
iflogin_with_email_allowed
is set totrue
.- edit
Username BooleanAllowed When true, the username field is editable.
- email
Theme String Used for emails that are sent by Keycloak.
- enabled Boolean
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- internal
Id String When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization - login
Theme String Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code StringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling IntegerInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled Enable
offline_session_max_lifespan
.- otp
Policy RealmOtp Policy - password
Policy String The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- refresh
Token IntegerMax Reuse Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed Boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow String The desired flow for user registration. Defaults to
registration
.- remember
Me Boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password BooleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh BooleanToken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtp Server - ssl
Required String Can be one of the following values: 'none', 'external' or 'all'.
- sso
Session StringIdle Timeout The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- sso
Session StringMax Lifespan Remember Me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user
Managed BooleanAccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify
Email Boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn RealmPolicy Web Authn Policy Configuration for WebAuthn Policy authentication.
- realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code stringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code stringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code stringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token stringLifespan The amount of time an access token can be used before it expires.
- access
Token stringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme string Used for account management pages.
- action
Token stringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token stringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme string Used for the admin console.
- attributes {[key: string]: any}
A map of custom attributes to add to the realm.
- browser
Flow string The desired flow for browser authentication. Defaults to
browser
.- client
Authentication stringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session stringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default string[]Client Scopes - default
Optional string[]Client Scopes - default
Signature stringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant stringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name string The display name for the realm that is shown when logging in to the admin console.
- display
Name stringHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication stringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate
Emails booleanAllowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
if login_with_email_allowed
is set to true
.- edit
Username booleanAllowed When true, the username field is editable.
- email
Theme string Used for emails that are sent by Keycloak.
- enabled boolean
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- internal
Id string When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization - login
Theme string Used for the login, forgot password, and registration pages.
- login
With booleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code stringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling numberInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session stringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session stringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline
Session booleanMax Lifespan Enabled Enable
offline_session_max_lifespan
.- otp
Policy RealmOtp Policy - password
Policy string The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- refresh
Token numberMax Reuse Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email booleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow string The desired flow for user registration. Defaults to
registration
.- remember
Me boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials stringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password booleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh booleanToken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtp Server - ssl
Required string Can be one of the following values: 'none', 'external' or 'all'.
- sso
Session stringIdle Timeout The amount of time a session can be idle before it expires.
- sso
Session stringIdle Timeout Remember Me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- sso
Session stringMax Lifespan Remember Me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user
Managed booleanAccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify
Email boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn RealmPolicy Web Authn Policy Configuration for WebAuthn Policy authentication.
- realm str
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access_
code_ strlifespan The maximum amount of time a client has to finish the authorization code flow.
- access_
code_ strlifespan_ login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access_
code_ strlifespan_ user_ action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access_
token_ strlifespan The amount of time an access token can be used before it expires.
- access_
token_ strlifespan_ for_ implicit_ flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account_
theme str Used for account management pages.
- action_
token_ strgenerated_ by_ admin_ lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action_
token_ strgenerated_ by_ user_ lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin_
theme str Used for the admin console.
- attributes Mapping[str, Any]
A map of custom attributes to add to the realm.
- browser_
flow str The desired flow for browser authentication. Defaults to
browser
.- client_
authentication_ strflow The desired flow for client authentication. Defaults to
clients
.- client_
session_ stridle_ timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client_
session_ strmax_ lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default_
default_ Sequence[str]client_ scopes - default_
optional_ Sequence[str]client_ scopes - default_
signature_ stralgorithm Default algorithm used to sign tokens for the realm.
- direct_
grant_ strflow The desired flow for direct access authentication. Defaults to
direct grant
.- display_
name str The display name for the realm that is shown when logging in to the admin console.
- display_
name_ strhtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker_
authentication_ strflow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate_
emails_ boolallowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
if login_with_email_allowed
is set to true
.- edit_
username_ boolallowed When true, the username field is editable.
- email_
theme str Used for emails that are sent by Keycloak.
- enabled bool
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- internal_
id str When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization Args - login_
theme str Used for the login, forgot password, and registration pages.
- login_
with_ boolemail_ allowed When true, users may log in with their email address.
- oauth2_
device_ strcode_ lifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2_
device_ intpolling_ interval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline_
session_ stridle_ timeout The amount of time an offline session can be idle before it expires.
- offline_
session_ strmax_ lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline_
session_ boolmax_ lifespan_ enabled Enable
offline_session_max_lifespan
.- otp_
policy RealmOtp Policy Args - password_
policy str The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- refresh_
token_ intmax_ reuse Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration_
allowed bool When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration_
email_ boolas_ username When true, the user's email will be used as their username during registration.
- registration_
flow str The desired flow for user registration. Defaults to
registration
.- remember_
me bool When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset_
credentials_ strflow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset_
password_ boolallowed When true, a "forgot password" link will be displayed on the login page.
- revoke_
refresh_ booltoken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security_
defenses RealmSecurity Defenses Args - smtp_
server RealmSmtp Server Args - ssl_
required str Can be one of the following values: 'none', 'external' or 'all'.
- sso_
session_ stridle_ timeout The amount of time a session can be idle before it expires.
- sso_
session_ stridle_ timeout_ remember_ me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso_
session_ strmax_ lifespan The maximum amount of time before a session expires regardless of activity.
- sso_
session_ strmax_ lifespan_ remember_ me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user_
managed_ boolaccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify_
email bool When true, users are required to verify their email address after registration and after email address changes.
- web_
authn_ Realmpasswordless_ policy Web Authn Passwordless Policy Args Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web_
authn_ Realmpolicy Web Authn Policy Args Configuration for WebAuthn Policy authentication.
- realm String
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code StringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String Used for account management pages.
- action
Token StringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String Used for the admin console.
- attributes Map<Any>
A map of custom attributes to add to the realm.
- browser
Flow String The desired flow for browser authentication. Defaults to
browser
.- client
Authentication StringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session StringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name String The display name for the realm that is shown when logging in to the admin console.
- display
Name StringHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication StringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate
Emails BooleanAllowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
if login_with_email_allowed
is set to true
.- edit
Username BooleanAllowed When true, the username field is editable.
- email
Theme String Used for emails that are sent by Keycloak.
- enabled Boolean
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- internal
Id String When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization Property Map
- login
Theme String Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code StringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling NumberInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled Enable
offline_session_max_lifespan
.- otp
Policy Property Map - password
Policy String The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- refresh
Token NumberMax Reuse Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed Boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow String The desired flow for user registration. Defaults to
registration
.- remember
Me Boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password BooleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh BooleanToken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses Property Map - smtp
Server Property Map - ssl
Required String Can be one of the following values: 'none', 'external' or 'all'.
- sso
Session StringIdle Timeout The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- sso
Session StringMax Lifespan Remember Me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user
Managed BooleanAccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify
Email Boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn Property MapPasswordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn Property MapPolicy Configuration for WebAuthn Policy authentication.
Outputs
All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing Realm Resource
Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_code_lifespan: Optional[str] = None,
access_code_lifespan_login: Optional[str] = None,
access_code_lifespan_user_action: Optional[str] = None,
access_token_lifespan: Optional[str] = None,
access_token_lifespan_for_implicit_flow: Optional[str] = None,
account_theme: Optional[str] = None,
action_token_generated_by_admin_lifespan: Optional[str] = None,
action_token_generated_by_user_lifespan: Optional[str] = None,
admin_theme: Optional[str] = None,
attributes: Optional[Mapping[str, Any]] = None,
browser_flow: Optional[str] = None,
client_authentication_flow: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
default_default_client_scopes: Optional[Sequence[str]] = None,
default_optional_client_scopes: Optional[Sequence[str]] = None,
default_signature_algorithm: Optional[str] = None,
direct_grant_flow: Optional[str] = None,
display_name: Optional[str] = None,
display_name_html: Optional[str] = None,
docker_authentication_flow: Optional[str] = None,
duplicate_emails_allowed: Optional[bool] = None,
edit_username_allowed: Optional[bool] = None,
email_theme: Optional[str] = None,
enabled: Optional[bool] = None,
internal_id: Optional[str] = None,
internationalization: Optional[RealmInternationalizationArgs] = None,
login_theme: Optional[str] = None,
login_with_email_allowed: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[int] = None,
offline_session_idle_timeout: Optional[str] = None,
offline_session_max_lifespan: Optional[str] = None,
offline_session_max_lifespan_enabled: Optional[bool] = None,
otp_policy: Optional[RealmOtpPolicyArgs] = None,
password_policy: Optional[str] = None,
realm: Optional[str] = None,
refresh_token_max_reuse: Optional[int] = None,
registration_allowed: Optional[bool] = None,
registration_email_as_username: Optional[bool] = None,
registration_flow: Optional[str] = None,
remember_me: Optional[bool] = None,
reset_credentials_flow: Optional[str] = None,
reset_password_allowed: Optional[bool] = None,
revoke_refresh_token: Optional[bool] = None,
security_defenses: Optional[RealmSecurityDefensesArgs] = None,
smtp_server: Optional[RealmSmtpServerArgs] = None,
ssl_required: Optional[str] = None,
sso_session_idle_timeout: Optional[str] = None,
sso_session_idle_timeout_remember_me: Optional[str] = None,
sso_session_max_lifespan: Optional[str] = None,
sso_session_max_lifespan_remember_me: Optional[str] = None,
user_managed_access: Optional[bool] = None,
verify_email: Optional[bool] = None,
web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm
func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)
public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)
public static Realm get(String name, Output<String> id, RealmState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Code stringLifespan The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string Used for the admin console.
- Attributes Dictionary<string, object>
A map of custom attributes to add to the realm.
- Browser
Flow string The desired flow for browser authentication. Defaults to
browser
.- Client
Authentication stringFlow The desired flow for client authentication. Defaults to
clients
.- Client
Session stringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default List<string>Client Scopes - Default
Optional List<string>Client Scopes - Default
Signature stringAlgorithm Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- Display
Name string The display name for the realm that is shown when logging in to the admin console.
- DisplayNameHtml string The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because this value is rendered as markup rather than escaped text, it should only contain trusted content.
- Docker
Authentication stringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- DuplicateEmailsAllowed bool When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`
.- Edit
Username boolAllowed When true, the username field is editable.
- Email
Theme string Used for emails that are sent by Keycloak.
- Enabled bool When `false`, users and clients will not be able to access this realm. Defaults to `true`
.- Internal
Id string When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- Internationalization
Realm
Internationalization - Login
Theme string Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- Oauth2Device
Polling intInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- OfflineSessionMaxLifespanEnabled bool Enable `offline_session_max_lifespan`
.- Otp
Policy RealmOtp Policy - Password
Policy string The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- Realm
Name string The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- RefreshTokenMaxReuse int The maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- Registration
Allowed bool When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username When true, the user's email will be used as their username during registration.
- Registration
Flow string The desired flow for user registration. Defaults to
registration
.- Remember
Me bool When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- Reset
Password boolAllowed When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool If enabled, a refresh token can only be used the number of times specified in `refresh_token_max_reuse` before it is revoked. If unspecified, refresh tokens can be reused.
- SecurityDefenses RealmSecurityDefenses
- SmtpServer RealmSmtpServer
- SslRequired string Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS only for requests that do not come from private network addresses, and 'all' requires HTTPS for every request.
- Sso
Session stringIdle Timeout The amount of time a session can be idle before it expires.
- SsoSessionIdleTimeoutRememberMe string Similar to `sso_session_idle_timeout`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_idle_timeout`
.- Sso
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- SsoSessionMaxLifespanRememberMe string Similar to `sso_session_max_lifespan`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_max_lifespan`
.- UserManagedAccess bool When `true`, users are allowed to manage their own resources. Defaults to `false`
.- Verify
Email bool When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- Web
Authn RealmPolicy Web Authn Policy Configuration for WebAuthn Policy authentication.
- Access
Code stringLifespan The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string Used for the admin console.
- Attributes map[string]interface{}
A map of custom attributes to add to the realm.
- Browser
Flow string The desired flow for browser authentication. Defaults to
browser
.- Client
Authentication stringFlow The desired flow for client authentication. Defaults to
clients
.- Client
Session stringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default []stringClient Scopes - Default
Optional []stringClient Scopes - Default
Signature stringAlgorithm Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- Display
Name string The display name for the realm that is shown when logging in to the admin console.
- DisplayNameHtml string The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because this value is rendered as markup rather than escaped text, it should only contain trusted content.
- Docker
Authentication stringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- DuplicateEmailsAllowed bool When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`
.- Edit
Username boolAllowed When true, the username field is editable.
- Email
Theme string Used for emails that are sent by Keycloak.
- Enabled bool When `false`, users and clients will not be able to access this realm. Defaults to `true`
.- Internal
Id string When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- Internationalization
Realm
Internationalization Args - Login
Theme string Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- Oauth2Device
Polling intInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- OfflineSessionMaxLifespanEnabled bool Enable `offline_session_max_lifespan`
.- Otp
Policy RealmOtp Policy Args - Password
Policy string The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- Realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- RefreshTokenMaxReuse int The maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- Registration
Allowed bool When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username When true, the user's email will be used as their username during registration.
- Registration
Flow string The desired flow for user registration. Defaults to
registration
.- Remember
Me bool When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- Reset
Password boolAllowed When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool If enabled, a refresh token can only be used the number of times specified in `refresh_token_max_reuse` before it is revoked. If unspecified, refresh tokens can be reused.
- SecurityDefenses RealmSecurityDefensesArgs
- SmtpServer RealmSmtpServerArgs
- SslRequired string Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS only for requests that do not come from private network addresses, and 'all' requires HTTPS for every request.
- Sso
Session stringIdle Timeout The amount of time a session can be idle before it expires.
- SsoSessionIdleTimeoutRememberMe string Similar to `sso_session_idle_timeout`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_idle_timeout`
.- Sso
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- SsoSessionMaxLifespanRememberMe string Similar to `sso_session_max_lifespan`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_max_lifespan`
.- UserManagedAccess bool When `true`, users are allowed to manage their own resources. Defaults to `false`
.- Verify
Email bool When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Args Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- Web
Authn RealmPolicy Web Authn Policy Args Configuration for WebAuthn Policy authentication.
- access
Code StringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String Used for account management pages.
- action
Token StringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String Used for the admin console.
- attributes Map<String,Object>
A map of custom attributes to add to the realm.
- browser
Flow String The desired flow for browser authentication. Defaults to
browser
.- client
Authentication StringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session StringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name String The display name for the realm that is shown when logging in to the admin console.
- displayNameHtml String The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because this value is rendered as markup rather than escaped text, it should only contain trusted content.
- docker
Authentication StringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicateEmailsAllowed Boolean When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`
.- edit
Username BooleanAllowed When true, the username field is editable.
- email
Theme String Used for emails that are sent by Keycloak.
- enabled Boolean When `false`, users and clients will not be able to access this realm. Defaults to `true`
.- internal
Id String When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization - login
Theme String Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code StringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling IntegerInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offlineSessionMaxLifespanEnabled Boolean Enable `offline_session_max_lifespan`
.- otp
Policy RealmOtp Policy - password
Policy String The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- realm String
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refreshTokenMaxReuse Integer The maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed Boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow String The desired flow for user registration. Defaults to
registration
.- remember
Me Boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password BooleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revokeRefreshToken Boolean If enabled, a refresh token can only be used the number of times specified in `refresh_token_max_reuse` before it is revoked. If unspecified, refresh tokens can be reused.
- securityDefenses RealmSecurityDefenses
- smtpServer RealmSmtpServer
- sslRequired String Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS only for requests that do not come from private network addresses, and 'all' requires HTTPS for every request.
- sso
Session StringIdle Timeout The amount of time a session can be idle before it expires.
- ssoSessionIdleTimeoutRememberMe String Similar to `sso_session_idle_timeout`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_idle_timeout`
.- sso
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- ssoSessionMaxLifespanRememberMe String Similar to `sso_session_max_lifespan`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_max_lifespan`
.- userManagedAccess Boolean When `true`, users are allowed to manage their own resources. Defaults to `false`
.- verify
Email Boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn RealmPolicy Web Authn Policy Configuration for WebAuthn Policy authentication.
- access
Code stringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code stringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code stringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token stringLifespan The amount of time an access token can be used before it expires.
- access
Token stringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme string Used for account management pages.
- action
Token stringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token stringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme string Used for the admin console.
- attributes {[key: string]: any}
A map of custom attributes to add to the realm.
- browser
Flow string The desired flow for browser authentication. Defaults to
browser
.- client
Authentication stringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session stringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default string[]Client Scopes - default
Optional string[]Client Scopes - default
Signature stringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant stringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name string The display name for the realm that is shown when logging in to the admin console.
- displayNameHtml string The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because this value is rendered as markup rather than escaped text, it should only contain trusted content.
- docker
Authentication stringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicateEmailsAllowed boolean When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`
.- edit
Username booleanAllowed When true, the username field is editable.
- email
Theme string Used for emails that are sent by Keycloak.
- enabled boolean When `false`, users and clients will not be able to access this realm. Defaults to `true`
.- internal
Id string When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization - login
Theme string Used for the login, forgot password, and registration pages.
- login
With booleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code stringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling numberInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session stringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session stringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offlineSessionMaxLifespanEnabled boolean Enable `offline_session_max_lifespan`
.- otp
Policy RealmOtp Policy - password
Policy string The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- realm string
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refreshTokenMaxReuse number The maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email booleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow string The desired flow for user registration. Defaults to
registration
.- remember
Me boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials stringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password booleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revokeRefreshToken boolean If enabled, a refresh token can only be used the number of times specified in `refresh_token_max_reuse` before it is revoked. If unspecified, refresh tokens can be reused.
- securityDefenses RealmSecurityDefenses
- smtpServer RealmSmtpServer
- sslRequired string Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS only for requests that do not come from private network addresses, and 'all' requires HTTPS for every request.
- sso
Session stringIdle Timeout The amount of time a session can be idle before it expires.
- ssoSessionIdleTimeoutRememberMe string Similar to `sso_session_idle_timeout`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_idle_timeout`
.- sso
Session stringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- ssoSessionMaxLifespanRememberMe string Similar to `sso_session_max_lifespan`, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of `sso_session_max_lifespan`
.- userManagedAccess boolean When `true`, users are allowed to manage their own resources. Defaults to `false`
.- verify
Email boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn RealmPolicy Web Authn Policy Configuration for WebAuthn Policy authentication.
- access_
code_ strlifespan The maximum amount of time a client has to finish the authorization code flow.
- access_
code_ strlifespan_ login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access_
code_ strlifespan_ user_ action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access_
token_ strlifespan The amount of time an access token can be used before it expires.
- access_
token_ strlifespan_ for_ implicit_ flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account_
theme str Used for account management pages.
- action_
token_ strgenerated_ by_ admin_ lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action_
token_ strgenerated_ by_ user_ lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin_
theme str Used for the admin console.
- attributes Mapping[str, Any]
A map of custom attributes to add to the realm.
- browser_
flow str The desired flow for browser authentication. Defaults to
browser
.- client_
authentication_ strflow The desired flow for client authentication. Defaults to
clients
.- client_
session_ stridle_ timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client_
session_ strmax_ lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default_
default_ Sequence[str]client_ scopes - default_
optional_ Sequence[str]client_ scopes - default_
signature_ stralgorithm Default algorithm used to sign tokens for the realm.
- direct_
grant_ strflow The desired flow for direct access authentication. Defaults to
direct grant
.- display_
name str The display name for the realm that is shown when logging in to the admin console.
- display_name_html str The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because this value is rendered as markup rather than escaped text, it should only contain trusted content.
- docker_
authentication_ strflow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate_emails_allowed bool When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`
.- edit_
username_ boolallowed When true, the username field is editable.
- email_
theme str Used for emails that are sent by Keycloak.
- enabled bool When `false`, users and clients will not be able to access this realm. Defaults to `true`
.- internal_
id str When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization
Realm
Internationalization Args - login_
theme str Used for the login, forgot password, and registration pages.
- login_
with_ boolemail_ allowed When true, users may log in with their email address.
- oauth2_
device_ strcode_ lifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2_
device_ intpolling_ interval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline_
session_ stridle_ timeout The amount of time an offline session can be idle before it expires.
- offline_
session_ strmax_ lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline_session_max_lifespan_enabled bool Enable `offline_session_max_lifespan`
.- otp_
policy RealmOtp Policy Args - password_
policy str The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- realm str
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refresh_token_max_reuse int The maximum number of times a refresh token can be reused before it is revoked. If unspecified and `revoke_refresh_token` is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration_
allowed bool When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration_
email_ boolas_ username When true, the user's email will be used as their username during registration.
- registration_
flow str The desired flow for user registration. Defaults to
registration
.- remember_
me bool When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset_
credentials_ strflow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset_
password_ boolallowed When true, a "forgot password" link will be displayed on the login page.
- revoke_
refresh_ booltoken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security_
defenses RealmSecurity Defenses Args - smtp_
server RealmSmtp Server Args - ssl_
required str Can be one of the following values: 'none', 'external' or 'all'
- sso_
session_ stridle_ timeout The amount of time a session can be idle before it expires.
- sso_
session_ stridle_ timeout_ remember_ me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso_
session_ strmax_ lifespan The maximum amount of time before a session expires regardless of activity.
- sso_
session_ strmax_ lifespan_ remember_ me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user_
managed_ boolaccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify_
email bool When true, users are required to verify their email address after registration and after email address changes.
- web_
authn_ Realmpasswordless_ policy Web Authn Passwordless Policy Args Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web_
authn_ Realmpolicy Web Authn Policy Args Configuration for WebAuthn Policy authentication.
- access
Code StringLifespan The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String Used for account management pages.
- action
Token StringGenerated By Admin Lifespan The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String Used for the admin console.
- attributes Map<Any>
A map of custom attributes to add to the realm.
- browser
Flow String The desired flow for browser authentication. Defaults to
browser
.- client
Authentication StringFlow The desired flow for client authentication. Defaults to
clients
.- client
Session StringIdle Timeout The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow The desired flow for direct access authentication. Defaults to
direct grant
.- display
Name String The display name for the realm that is shown when logging in to the admin console.
- display
Name StringHtml The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication StringFlow The desired flow for Docker authentication. Defaults to
docker auth
.- duplicate
Emails BooleanAllowed When true, multiple users will be allowed to have the same email address. This argument must be set to
false
iflogin_with_email_allowed
is set totrue
.- edit
Username BooleanAllowed When true, the username field is editable.
- email
Theme String Used for emails that are sent by Keycloak.
- enabled Boolean
When
false
, users and clients will not be able to access this realm. Defaults totrue
.- internal
Id String When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
- internationalization Property Map
- login
Theme String Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed When true, users may log in with their email address.
- oauth2Device
Code StringLifespan The maximum amount of time a client has to finish the device code flow before it expires.
The attributes below should be specified in seconds.
- oauth2Device
Polling NumberInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled Enable
offline_session_max_lifespan
.- otp
Policy Property Map - password
Policy String The password policy for users within the realm.
The arguments below can be used to configure authentication flow bindings:
- realm String
The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refresh
Token NumberMax Reuse Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.
- registration
Allowed Boolean When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username When true, the user's email will be used as their username during registration.
- registration
Flow String The desired flow for user registration. Defaults to
registration
.- remember
Me Boolean When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials
.- reset
Password BooleanAllowed When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh BooleanToken If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses Property Map - smtp
Server Property Map - ssl
Required String Can be one of following values: 'none, 'external' or 'all'
- sso
Session StringIdle Timeout The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me Similar to
sso_session_idle_timeout
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_idle_timeout
.- sso
Session StringMax Lifespan The maximum amount of time before a session expires regardless of activity.
- sso
Session StringMax Lifespan Remember Me Similar to
sso_session_max_lifespan
, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value ofsso_session_max_lifespan
.- user
Managed BooleanAccess When
true
, users are allowed to manage their own resources. Defaults tofalse
.- verify
Email Boolean When true, users are required to verify their email address after registration and after email address changes.
- web
Authn Property MapPasswordless Policy Configuration for WebAuthn Passwordless Policy authentication.
Each of these attributes is a block with the following attributes:
- web
Authn Property MapPolicy Configuration for WebAuthn Policy authentication.
Supporting Types
RealmInternationalization, RealmInternationalizationArgs
- Default
Locale string The locale to use by default. This locale code must be present within the
supported_locales
list.- Supported
Locales List<string> A list of ISO 639-1 locale codes that the realm should support.
- Default
Locale string The locale to use by default. This locale code must be present within the
supported_locales
list.- Supported
Locales []string A list of ISO 639-1 locale codes that the realm should support.
- default
Locale String The locale to use by default. This locale code must be present within the
supported_locales
list.- supported
Locales List<String> A list of ISO 639-1 locale codes that the realm should support.
- default
Locale string The locale to use by default. This locale code must be present within the
supported_locales
list.- supported
Locales string[] A list of ISO 639-1 locale codes that the realm should support.
- default_
locale str The locale to use by default. This locale code must be present within the
supported_locales
list.- supported_
locales Sequence[str] A list of ISO 639-1 locale codes that the realm should support.
- default
Locale String The locale to use by default. This locale code must be present within the
supported_locales
list.- supported
Locales List<String> A list of ISO 639-1 locale codes that the realm should support.
RealmOtpPolicy, RealmOtpPolicyArgs
- Algorithm string
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- Digits int
How many digits the OTP has. Defaults to
6
.- Initial
Counter int What should the initial counter value be. Defaults to
2
.- Look
Ahead intWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- Period int
How many seconds should an OTP token be valid. Defaults to
30
.- Type string
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
- Algorithm string
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- Digits int
How many digits the OTP has. Defaults to
6
.- Initial
Counter int What should the initial counter value be. Defaults to
2
.- Look
Ahead intWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- Period int
How many seconds should an OTP token be valid. Defaults to
30
.- Type string
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
- algorithm String
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- digits Integer
How many digits the OTP has. Defaults to
6
.- initial
Counter Integer What should the initial counter value be. Defaults to
2
.- look
Ahead IntegerWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- period Integer
How many seconds should an OTP token be valid. Defaults to
30
.- type String
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
- algorithm string
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- digits number
How many digits the OTP has. Defaults to
6
.- initial
Counter number What should the initial counter value be. Defaults to
2
.- look
Ahead numberWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- period number
How many seconds should an OTP token be valid. Defaults to
30
.- type string
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
- algorithm str
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- digits int
How many digits the OTP has. Defaults to
6
.- initial_
counter int What should the initial counter value be. Defaults to
2
.- look_
ahead_ intwindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- period int
How many seconds should an OTP token be valid. Defaults to
30
.- type str
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
- algorithm String
The hashing algorithm used to generate the OTP. Valid options are
HmacSHA1
,HmacSHA256
andHmacSHA512
. Defaults toHmacSHA1
.- digits Number
How many digits the OTP has. Defaults to
6
.- initial
Counter Number What should the initial counter value be. Defaults to
2
.- look
Ahead NumberWindow How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1
.- period Number
How many seconds should an OTP token be valid. Defaults to
30
.- type String
One Time Password Type, supported Values are
totp
for Time-Based One Time Password andhotp
for Counter Based. Defaults tototp
.
RealmSecurityDefenses, RealmSecurityDefensesArgs
RealmSecurityDefensesBruteForceDetection, RealmSecurityDefensesBruteForceDetectionArgs
- Failure
Reset intTime Seconds When will failure count be reset?
- Max
Failure intWait Seconds - Max
Login intFailures How many failures before wait is triggered.
- Minimum
Quick intLogin Wait Seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- Permanent
Lockout bool When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- Quick
Login intCheck Milli Seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- Wait
Increment intSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
- Failure
Reset intTime Seconds When will failure count be reset?
- Max
Failure intWait Seconds - Max
Login intFailures How many failures before wait is triggered.
- Minimum
Quick intLogin Wait Seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- Permanent
Lockout bool When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- Quick
Login intCheck Milli Seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- Wait
Increment intSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset IntegerTime Seconds When will failure count be reset?
- max
Failure IntegerWait Seconds - max
Login IntegerFailures How many failures before wait is triggered.
- minimum
Quick IntegerLogin Wait Seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- permanent
Lockout Boolean When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- quick
Login IntegerCheck Milli Seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- wait
Increment IntegerSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset numberTime Seconds When will failure count be reset?
- max
Failure numberWait Seconds - max
Login numberFailures How many failures before wait is triggered.
- minimum
Quick numberLogin Wait Seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- permanent
Lockout boolean When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- quick
Login numberCheck Milli Seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- wait
Increment numberSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure_
reset_ inttime_ seconds When will failure count be reset?
- max_
failure_ intwait_ seconds - max_
login_ intfailures How many failures before wait is triggered.
- minimum_
quick_ intlogin_ wait_ seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- permanent_
lockout bool When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- quick_
login_ intcheck_ milli_ seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- wait_
increment_ intseconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset NumberTime Seconds When will failure count be reset?
- max
Failure NumberWait Seconds - max
Login NumberFailures How many failures before wait is triggered.
- minimum
Quick NumberLogin Wait Seconds How long to wait after a quick login failure.
max_failure_wait_seconds
- (Optional) Max. time a user will be locked out.
- permanent
Lockout Boolean When
true
, this will lock the user permanently when the user exceeds the maximum login failures.- quick
Login NumberCheck Milli Seconds Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
- wait
Increment NumberSeconds This represents the amount of time a user should be locked out when the login failure threshold has been met.
RealmSecurityDefensesHeaders, RealmSecurityDefensesHeadersArgs
- Content
Security stringPolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- Content
Security stringPolicy Report Only Used for testing Content Security Policies.
- Strict
Transport stringSecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- XContent
Type stringOptions Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- XFrame
Options string Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- XRobots
Tag string Prevent pages from appearing in search engines.
- XXss
Protection string This header configures the Cross-site scripting (XSS) filter in your browser.
- Content
Security stringPolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- Content
Security stringPolicy Report Only Used for testing Content Security Policies.
- Strict
Transport stringSecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- XContent
Type stringOptions Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- XFrame
Options string Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- XRobots
Tag string Prevent pages from appearing in search engines.
- XXss
Protection string This header configures the Cross-site scripting (XSS) filter in your browser.
- content
Security StringPolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- content
Security StringPolicy Report Only Used for testing Content Security Policies.
- strict
Transport StringSecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x
Content StringType Options Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x
Frame StringOptions Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- x
Robots StringTag Prevent pages from appearing in search engines.
- x
Xss StringProtection This header configures the Cross-site scripting (XSS) filter in your browser.
- content
Security stringPolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- content
Security stringPolicy Report Only Used for testing Content Security Policies.
- strict
Transport stringSecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x
Content stringType Options Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x
Frame stringOptions Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- x
Robots stringTag Prevent pages from appearing in search engines.
- x
Xss stringProtection This header configures the Cross-site scripting (XSS) filter in your browser.
- content_
security_ strpolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- content_
security_ strpolicy_ report_ only Used for testing Content Security Policies.
- strict_
transport_ strsecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x_
content_ strtype_ options Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x_
frame_ stroptions Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- x_
robots_ strtag Prevent pages from appearing in search engines.
- x_
xss_ strprotection This header configures the Cross-site scripting (XSS) filter in your browser.
- content
Security StringPolicy Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- content
Security StringPolicy Report Only Used for testing Content Security Policies.
- strict
Transport StringSecurity The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x
Content StringType Options Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x
Frame StringOptions Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC7034.
- x
Robots StringTag Prevent pages from appearing in search engines.
- x
Xss StringProtection This header configures the Cross-site scripting (XSS) filter in your browser.
RealmSmtpServer, RealmSmtpServerArgs
- From string
The email address for the sender.
- Host string
The host of the SMTP server.
- Auth
Realm
Smtp Server Auth Enables authentication to the SMTP server. This block supports the following arguments:
- Envelope
From string The email address used for bounces.
- From
Display stringName The display name of the sender email address.
- Port string
The port of the SMTP server (defaults to 25).
- Reply
To string The "reply to" email address.
- Reply
To stringDisplay Name The display name of the "reply to" email address.
- Ssl bool
When
true
, enables SSL. Defaults tofalse
.- Starttls bool
When
true
, enables StartTLS. Defaults tofalse
.
- From string
The email address for the sender.
- Host string
The host of the SMTP server.
- Auth
Realm
Smtp Server Auth Enables authentication to the SMTP server. This block supports the following arguments:
- Envelope
From string The email address used for bounces.
- From
Display stringName The display name of the sender email address.
- Port string
The port of the SMTP server (defaults to 25).
- Reply
To string The "reply to" email address.
- Reply
To stringDisplay Name The display name of the "reply to" email address.
- Ssl bool
When
true
, enables SSL. Defaults tofalse
.- Starttls bool
When
true
, enables StartTLS. Defaults tofalse
.
- from String
The email address for the sender.
- host String
The host of the SMTP server.
- auth
Realm
Smtp Server Auth Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From String The email address used for bounces.
- from
Display StringName The display name of the sender email address.
- port String
The port of the SMTP server (defaults to 25).
- reply
To String The "reply to" email address.
- reply
To StringDisplay Name The display name of the "reply to" email address.
- ssl Boolean
When
true
, enables SSL. Defaults tofalse
.- starttls Boolean
When
true
, enables StartTLS. Defaults tofalse
.
- from string
The email address for the sender.
- host string
The host of the SMTP server.
- auth
Realm
Smtp Server Auth Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From string The email address used for bounces.
- from
Display stringName The display name of the sender email address.
- port string
The port of the SMTP server (defaults to 25).
- reply
To string The "reply to" email address.
- reply
To stringDisplay Name The display name of the "reply to" email address.
- ssl boolean
When
true
, enables SSL. Defaults tofalse
.- starttls boolean
When
true
, enables StartTLS. Defaults tofalse
.
- from_ str
The email address for the sender.
- host str
The host of the SMTP server.
- auth
Realm
Smtp Server Auth Enables authentication to the SMTP server. This block supports the following arguments:
- envelope_
from str The email address used for bounces.
- from_
display_ strname The display name of the sender email address.
- port str
The port of the SMTP server (defaults to 25).
- reply_
to str The "reply to" email address.
- reply_
to_ strdisplay_ name The display name of the "reply to" email address.
- ssl bool
When
true
, enables SSL. Defaults tofalse
.- starttls bool
When
true
, enables StartTLS. Defaults tofalse
.
- from String
The email address for the sender.
- host String
The host of the SMTP server.
- auth Property Map
Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From String The email address used for bounces.
- from
Display StringName The display name of the sender email address.
- port String
The port of the SMTP server (defaults to 25).
- reply
To String The "reply to" email address.
- reply
To StringDisplay Name The display name of the "reply to" email address.
- ssl Boolean
When
true
, enables SSL. Defaults tofalse
.- starttls Boolean
When
true
, enables StartTLS. Defaults tofalse
.
RealmSmtpServerAuth, RealmSmtpServerAuthArgs
RealmWebAuthnPasswordlessPolicy, RealmWebAuthnPasswordlessPolicyArgs
- Acceptable
Aaguids List<string> A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- Authenticator
Attachment string The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- Avoid
Same boolAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- Create
Timeout int The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- Relying
Party stringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- Relying
Party stringId The WebAuthn relying party ID.
- Require
Resident stringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- Signature
Algorithms List<string> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- User
Verification stringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- Acceptable
Aaguids []string A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- Authenticator
Attachment string The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- Avoid
Same boolAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- Create
Timeout int The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- Relying
Party stringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- Relying
Party stringId The WebAuthn relying party ID.
- Require
Resident stringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- Signature
Algorithms []string A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- User
Verification stringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable
Aaguids List<String> A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment String The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same BooleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout Integer The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party StringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party StringId The WebAuthn relying party ID.
- require
Resident StringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms List<String> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification StringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable
Aaguids string[] A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance stringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment string The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same booleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout number The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party stringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party stringId The WebAuthn relying party ID.
- require
Resident stringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms string[] A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification stringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable_
aaguids Sequence[str] A set of AAGUIDs for which an authenticator can be registered.
- attestation_
conveyance_ strpreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator_
attachment str The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid_
same_ boolauthenticator_ register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create_
timeout int The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying_
party_ strentity_ name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying_
party_ strid The WebAuthn relying party ID.
- require_
resident_ strkey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature_
algorithms Sequence[str] A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user_
verification_ strrequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable
Aaguids List<String> A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment String The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same BooleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout Number The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party StringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party StringId The WebAuthn relying party ID.
- require
Resident StringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms List<String> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification StringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
RealmWebAuthnPolicy, RealmWebAuthnPolicyArgs
- Acceptable
Aaguids List<string> A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- Authenticator
Attachment string The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- Avoid
Same boolAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- Create
Timeout int The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- Relying
Party stringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- Relying
Party stringId The WebAuthn relying party ID.
- Require
Resident stringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- Signature
Algorithms List<string> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- User
Verification stringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- AcceptableAaguids (`[]string`) — A set of AAGUIDs for which an authenticator can be registered.
- Attestation
ConveyancePreference (`string`) — The preference of how to generate a WebAuthn attestation statement. Valid options are `not specified`, `none`, `indirect`, `direct`, or `enterprise`. Defaults to `not specified`.
- Authenticator
Attachment (`string`) — The acceptable attachment pattern for the WebAuthn authenticator. Valid options are `not specified`, `platform`, or `cross-platform`. Defaults to `not specified`.
- Avoid
SameAuthenticatorRegister (`bool`) — When `true`, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to `false`.
- Create
Timeout (`int`) — The timeout value for creating a user's public key credential, in seconds. When set to `0`, this timeout option is not applied. Defaults to `0`.
- Relying
PartyEntityName (`string`) — A human-readable server name for the WebAuthn Relying Party. Defaults to `keycloak`.
- Relying
PartyId (`string`) — The WebAuthn relying party ID.
- Require
ResidentKey (`string`) — Specifies whether or not a public key should be created to represent the resident key. Valid options are `not specified`, `Yes`, or `No`. Defaults to `not specified`.
- Signature
Algorithms (`[]string`) — A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are `ES256`, `ES384`, `ES512`, `RS256`, `RS384`, `RS512`, and `RS1`.
- User
VerificationRequirement (`string`) — Specifies the policy for verifying a user logging in via WebAuthn. Valid options are `not specified`, `required`, `preferred`, or `discouraged`. Defaults to `not specified`.
- acceptable
Aaguids List<String> A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment String The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same BooleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout Integer The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party StringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party StringId The WebAuthn relying party ID.
- require
Resident StringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms List<String> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification StringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable
Aaguids string[] A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance stringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment string The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same booleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout number The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party stringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party stringId The WebAuthn relying party ID.
- require
Resident stringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms string[] A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification stringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable_
aaguids Sequence[str] A set of AAGUIDs for which an authenticator can be registered.
- attestation_
conveyance_ strpreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator_
attachment str The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid_
same_ boolauthenticator_ register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create_
timeout int The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying_
party_ strentity_ name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying_
party_ strid The WebAuthn relying party ID.
- require_
resident_ strkey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature_
algorithms Sequence[str] A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user_
verification_ strrequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
- acceptable
Aaguids List<String> A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified
,none
,indirect
,direct
, orenterprise
. Defaults tonot specified
.- authenticator
Attachment String The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified
,platform
, orcross-platform
. Defaults tonot specified
.- avoid
Same BooleanAuthenticator Register When
true
, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse
.- create
Timeout Number The timeout value for creating a user's public key credential in seconds. When set to
0
, this timeout option is not adapted. Defaults to0
.- relying
Party StringEntity Name A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak
.- relying
Party StringId The WebAuthn relying party ID.
- require
Resident StringKey Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified
,Yes
, orNo
. Defaults tonot specified
.- signature
Algorithms List<String> A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256
,ES384
,ES512
,RS256
,RS384
,RS512
, andRS1
.- user
Verification StringRequirement Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified
,required
,preferred
, ordiscouraged
. Defaults tonot specified
.
Import
Realms can be imported using their name. Example (bash):
$ pulumi import keycloak:index/realm:Realm realm my-realm
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
This Pulumi package is based on the `keycloak` Terraform Provider.